When creators of the state-sponsored Stuxnet worm used a USB stick to infect air-gapped computers inside Iran’s heavily fortified Natanz nuclear facility, trust in the ubiquitous storage medium suffered a devastating blow. Now, white-hat hackers have devised a feat even more seminal—an exploit that transforms keyboards, Web cams, and other types of USB-connected devices into highly programmable attack platforms that can’t be detected by today’s defenses.

Dubbed BadUSB, the hack reprograms embedded firmware to give USB devices new, covert capabilities. In a demonstration scheduled at next week’s Black Hat security conference in Las Vegas, a USB drive, for instance, will take on the ability to act as a keyboard that surreptitiously types malicious commands into attached computers. A different drive will similarly be reprogrammed to act as a network card that causes connected computers to connect to malicious sites impersonating Google, Facebook or other trusted destinations. The presenters will demonstrate similar hacks that work against Android phones when attached to targeted computers. They say their technique will work on Web cams, keyboards, and most other types of USB-enabled devices.

“Please don’t do anything evil”

“If you put anything into your USB [slot], it extends a lot of trust,” Karsten Nohl, chief scientist at Security Research Labs in Berlin, told Ars. “Whatever it is, there could always be some code running in that device that runs maliciously. Every time anybody connects a USB device to your computer, you fully trust them with your computer. It’s the equivalent of [saying] ‘here’s my computer; I’m going to walk away for 10 minutes. Please don’t do anything evil.”

In many respects, the BadUSB hack is more pernicious than simply loading a USB stick with the kind of self-propagating malware used in the Stuxnet attack. For one thing, although the Black Hat demos feature only USB2 and USB3 sticks, BadUSB theoretically works on any type of USB device. And for another, it’s almost impossible to detect a tampered device without employing advanced forensic methods, such as physically disassembling and reverse engineering the device. Antivirus scans will turn up empty. Most analysis short of such sophisticated techniques relies on the firmware itself, and that can’t be trusted.

“There’s no way to get the firmware without the help of the firmware, and if you ask the infected firmware, it will just lie to you,” Nohl explained.

Most troubling of all, BadUSB-corrupted devices are much harder to disinfect. Reformatting an infected USB stick, for example, will do nothing to remove the malicious programming. Because the tampering resides in the firmware, the malware can be eliminated only by replacing the booby-trapped device software with the original firmware. Given the possibility that traditional computer malware could be programmed to use BadUSB techniques to infect any attached devices, the attack could change the entire regimen currently used to respond to computer compromises.

“The next time you have a virus on your computer, you pretty much have to assume your peripherals are infected, and computers of other people who connected to those peripherals are infected,” Nohl said. He said the attack is similar to boot sector infections affecting hard drives and removable storage. A key difference, however, is that most boot sector compromises can be detected by antivirus scans. BadUSB infections cannot.

Transforming a brand-name USB stick into a computer keyboard that opens a command window on an attached computer and enters commands that cause it to download and install malicious software. The technique can easily work around the standard user access control in Windows since the protection requires only that users click OK.

Transforming a brand-name USB stick into a network card. Once active, the network card causes the computer to use a domain name system server that causes computers to connect to malicious sites impersonating legitimate destinations.

Programming a brand-name USB stick to surreptitiously inject a payload into a legitimate Ubuntu installation file. The file is loaded onto the drive when attached to one computer. The tampering happens only after it is plugged into a separate computer that has no operating system present on it. The demo underscores how even using a trusted computer to verify the cryptographic hash of a file isn’t adequate protection against the attack.

No easy fix

Nohl said there are few ways ordinary people can protect themselves against BadUSB attacks short of limiting the devices that get attached to a computer to those that have remained in the physical possession of a trusted party at all times. The problem, he said, is that USB devices were never designed to prevent the types of exploits his team devised. By contrast, peripherals based on the Bluetooth standard contain cryptographic locks that can only be unlocked through a time-tested pairing process.

The other weakness that makes BadUSB attacks possible is the lack of cryptographic signing requirements when replacing device firmware. The vast majority of USB devices will accept any firmware update they’re offered. Programming them in the factory to accept only those updates authorized by the manufacturer would go a long way toward preventing the attacks. But even then, devices might be vulnerable to the same types of rooting attacks people use to jailbreak iPhones. Code signing would likely also drive up the cost of devices.

“It’s the endless struggle between do you anticipate security versus making it so complex nobody will use it,” Nohl said. “It’s the struggle between simplicity and security. The power of USB is that you plug it in and it just works. This simplicity is exactly what’s enabling these attacks.”

PROMOTED COMMENTS

So, does turning off autoplay on USB devices mitigate or prevent this attack or are we still screwed even if it is turned off and someone plugs a malicious USB thing into our computer?
Yes, I read the article but by the middle I was going “Wha?” and scratching my head puzzling over this.

My understanding is that if you plug it in, it will infect, autoplay or not, and that this is not limited to any one operating system. This attack vector uses the actual firmware on the USB device, which tells the computer the type of device being plugged in. So you plug in an infected USB storage device, and it tells the computer that it’s also a keyboard. Then it types commands as though you were doing it at your actual keyboard.

Call me thick, but wouldn’t it be rather obvious that your USB memory stick is being a keyboard, because it can’t also be a memory stick. i.e. where the hell have all my files gone?

You aren’t being thick, but you’re wrong in thinking a USB device can only be one thing. There’s nothing stopping a USB flash drive being fully functional as a USB flash drive whilst also surreptitiously acting as a keyboard if its firmware has been modified to advertise it as such. A USB device can have multiple device IDs and be able to process commands as any of them.

Back in the early days of 3G dongles, they would show up as both the dongle itself and as a virtual CD drive from which to install the device driver. This attack vector is the same concept, only for malicious intent and not built into the device intrinsically.
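As an added example (not from the article or from the commenters above), the following Python script parses a USB configuration descriptor the way a host sees it during enumeration and flags a single device that advertises storage alongside a keyboard (HID) or network (CDC) interface, the composite shape described in the comments above and in the Black Hat demos. The descriptor bytes are constructed for the example, not captured from real hardware.

```python
import struct

# USB-IF base class codes relevant to the BadUSB demos
CLASS_NAMES = {0x02: "CDC-Control", 0x03: "HID", 0x08: "Mass Storage",
               0x0A: "CDC-Data", 0xE0: "Wireless Controller"}
DESC_CONFIG, DESC_INTERFACE, DESC_ENDPOINT = 0x02, 0x04, 0x05

def parse_interfaces(config_desc: bytes):
    """Walk a full configuration descriptor (config, interface and endpoint
    descriptors back to back) and return (class, subclass, protocol) per interface."""
    ifaces, offset = [], 0
    while offset + 2 <= len(config_desc):
        length, dtype = config_desc[offset], config_desc[offset + 1]
        if length < 2 or offset + length > len(config_desc):
            raise ValueError("malformed descriptor at offset %d" % offset)
        if dtype == DESC_INTERFACE and length >= 9:
            # bInterfaceClass, bInterfaceSubClass, bInterfaceProtocol at offsets 5..7
            ifaces.append(tuple(config_desc[offset + 5:offset + 8]))
        offset += length  # endpoint and other descriptors are skipped by length
    return ifaces

def assess(config_desc: bytes):
    """Return policy findings: a storage device should not also be a keyboard or a NIC."""
    classes = {cls for cls, _, _ in parse_interfaces(config_desc)}
    findings = []
    if 0x08 in classes and 0x03 in classes:
        findings.append("storage device also exposes a keyboard/HID interface")
    if 0x08 in classes and classes & {0x02, 0x0A, 0xE0}:
        findings.append("storage device also exposes a network/CDC interface")
    return findings

# Helpers to build constructed descriptors (field order follows the USB 2.0 spec)
def iface(cls, sub, proto, num=0, n_ep=0):
    return struct.pack("<BBBBBBBBB", 9, DESC_INTERFACE, num, 0, n_ep, cls, sub, proto, 0)

def endpoint(addr, max_packet=512):
    return struct.pack("<BBBBHB", 7, DESC_ENDPOINT, addr, 0x02, max_packet, 0)

def config(*ifaces):
    body = b"".join(ifaces)
    return struct.pack("<BBHBBBBB", 9, DESC_CONFIG, 9 + len(body),
                       len(ifaces), 1, 0, 0x80, 50) + body

# Constructed samples: a plain bulk-only SCSI stick, the same stick also claiming
# to be a boot keyboard, and a stick that also claims to be a CDC network adapter.
PLAIN_STICK = config(iface(0x08, 0x06, 0x50, 0, 2) + endpoint(0x81) + endpoint(0x02))
BAD_KEYBOARD = config(iface(0x08, 0x06, 0x50, 0, 2) + endpoint(0x81) + endpoint(0x02),
                      iface(0x03, 0x01, 0x01, 1, 1) + endpoint(0x83, 8))
BAD_NETWORK = config(iface(0x08, 0x06, 0x50, 0, 2) + endpoint(0x81) + endpoint(0x02),
                     iface(0x02, 0x06, 0x00, 1, 1) + endpoint(0x83, 16),
                     iface(0x0A, 0x00, 0x00, 2, 2) + endpoint(0x84) + endpoint(0x03))
```

On a Linux host the same class bytes are what `lsusb -v` reports as bInterfaceClass, so the check can be run against a real device's descriptor dump rather than the constructed samples.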

This one, people can protect themselves from by using charging cables that do not actually have the data pins. Which are a good idea to carry while traveling, if you’re not bringing your own trusted charging devices with you.

I have a hard enough time convincing my parents-in-law to stay off the “Free WIFI” SSIDs at the airport; now I need to convince them to use a special charging cable because of “malicious USB ports”? Ha. Fat chance. That’s not only a behavior change but also an expenditure of money, all for a threat they can’t identify.

Hacks where there is no visual difference in the operation of the device, like this one, are completely stealthed to the majority of end users. Trying to explain it just sounds like paranoia. “See? My phone is charging just fine and I can play my games, check my bank balance, and everything.”